PR back to optum#2
Merged
- add vault config tests (env vars, defaults, all keys)
- 33 -> 52 specs

- add Legion::Crypt::JWT module with issue/verify/decode operations
- support HS256 (cluster secret) and RS256 (RSA keypair) algorithms
- add convenience methods on Legion::Crypt (issue_token, verify_token)
- add jwt settings block with configurable defaults
- add jwt gem dependency (>= 2.7)
- 88 specs passing, rubocop clean
Add VaultJwtAuth module for Vault JWT auth backend login and worker login helpers. Update cluster_secret for improved key handling. Expose JWT helpers through main Legion::Crypt entry point.
runs after ci passes on push to main. calls reusable release workflow for version detection, github release, and rubygems publish.
resolves non-deterministic ordering dependency in cluster_secret_spec. adds comprehensive specs for vault_jwt_auth module.
add JwksClient module for fetching and caching JWKS public keys, JWT.verify_with_jwks for RS256 token verification with issuer/audience validation, and Crypt.verify_external_token convenience method. bump to v1.4.0.
Legion::Crypt::MockVault provides thread-safe in-memory key-value store that eliminates the Vault dependency for local development. Supports read, write, delete, list, and connected? interface.
- Ed25519: key generation, signing, verification, Vault key storage
- PartitionKeys: HKDF per-tenant key derivation with AES-256-GCM
- Erasure: cryptographic erasure via Vault master key deletion
- Attestation: signed identity claims with freshness checking
- Add ed25519 gem dependency (~> 1.3)
- Bump to 1.4.2
LeaseManager#cache_lease was not storing the :path from static lease definitions, so reissue_lease could never fire as a fallback when sys.renew failed or leases hit max_ttl. All three service credentials (RabbitMQ, PostgreSQL, Redis) would silently expire after their Vault TTL with no recovery. Also adds trigger_reconnect dispatch for PG/Redis reissue, and comprehensive INFO/WARN logging across the full lease lifecycle.
12 rescue blocks across 4 files (crypt.rb, vault_entity.rb, jwks_client.rb, vault_cluster.rb) were logging but not calling handle_exception for structured exception tracking. Also consolidated duplicate rescue branches in vault_entity.rb#ensure_entity.
add VaultEntity module for Phase 7 Vault identity tracking
…reissue leases on reauth

Vault Kerberos auth issues non-renewable service tokens (2h TTL). When the token expires, Vault cascade-revokes all child leases (RabbitMQ, PostgreSQL, Redis), killing all three credential sets simultaneously regardless of their own TTLs. TokenRenewer now detects renewable=false and skips renew_self (which always fails for non-renewable tokens), going straight to reauth_kerberos. After reauth, it triggers LeaseManager.reissue_all to re-issue all leases under the new token.

LeaseManager changes:
- Add reissue_all method for bulk lease re-issuance after token rotation
- Fix symbol/string key mismatch in push_to_settings (resolve_secrets! registers string keys via lease:// URIs, but cache_lease stores symbol keys from JSON parse)
- Fix trigger_reconnect for PostgreSQL: use Sequel pool disconnect/reconnect instead of Data.shutdown+setup which tears down unrelated connections (Apollo SQLite)
- Fix trigger_reconnect for Redis: use Cache.restart (the actual method) instead of Cache.reconnect (which doesn't exist)

Closes #29

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
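The two lease-lifecycle points raised by the cache_lease fix and by this commit (a cached lease must keep its :path so reissue can fall back when sys/renew fails or max_ttl is hit, and a replaced non-renewable token means every child lease must be reissued) are easier to see in a small stand-alone model. This is a constructed example, not legion-crypt's LeaseManager or its Vault client; FakeVault, DemoLeaseManager and the lease paths and ids are invented for the illustration.

```ruby
require 'json'
# Constructed stand-in for Vault (not legion-crypt's client); paths and lease
# ids are invented for the illustration.
class FakeVault
  def initialize(renewable: true)
    @renewable = renewable
    @serial = 0
  end
  # sys/renew: succeeds only while the lease is renewable and under max_ttl.
  def renew(_lease_id)
    @renewable
  end
  # Reading the credential path issues a brand-new lease.
  def read(path)
    @serial += 1
    { lease_id: "#{path}/lease-#{@serial}", lease_duration: 3600 }
  end
end
# Hypothetical minimal lease manager showing the two behaviours the commits describe.
class DemoLeaseManager
  attr_reader :leases
  def initialize(vault)
    @vault = vault
    @leases = {}
  end
  # The fix: keep :path from the static definition next to the parsed lease JSON.
  # Without it reissue_lease has nowhere to read from and the credential silently
  # dies at max_ttl.
  def cache_lease(name, definition, issued_json)
    data = JSON.parse(issued_json, symbolize_names: true)
    @leases[name] = { path: definition[:path], lease_id: data[:lease_id], ttl: data[:lease_duration] }
  end
  # Try sys/renew first; fall back to reissue when it fails or max_ttl is hit.
  def renew_lease(name)
    return :renewed if @vault.renew(@leases.fetch(name)[:lease_id])
    reissue_lease(name)
  end
  def reissue_lease(name)
    lease = @leases.fetch(name)
    raise ArgumentError, "no :path cached for #{name}; cannot reissue" unless lease[:path]
    @leases[name] = lease.merge(lease_id: @vault.read(lease[:path])[:lease_id])
    :reissued
  end
  # A replaced (non-renewable) token cascade-revokes every child lease, so all
  # of them are reissued under the new token.
  def reissue_all
    @leases.keys.to_h { |n| [n, reissue_lease(n)] }
  end
end
```

Dropping `path:` from cache_lease reproduces the original failure: renew_lease raises instead of recovering, which is the silent-expiry case once the exception is swallowed by a logging-only rescue.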
…behavior - Version bump 1.5.8 → 1.5.9 - Changelog documents all fixes from #29 - Update trigger_reconnect specs: PostgreSQL now tests Sequel pool disconnect/reconnect, Redis now tests Cache.restart Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…vocation fix vault lease cascade revocation — handle non-renewable tokens and reissue on reauth
Iverson seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it.
…ebug Pass caller's level: through to Legion::Logging.log_exception instead of defaulting to :error. Also fix exception_log_message to suppress backtrace for :debug level (was only suppressed when backtrace was empty). Fixes LegionIO/LegionIO#155
fix: handle_exception respects level: kwarg (#155)
…rotation trigger_reconnect(:postgresql) previously called sequel.disconnect + sequel.test_connection, but Sequel bakes credentials into the pool at Sequel.connect time. The old approach silently reused stale credentials after Vault lease rotation, causing Apollo and other DB-backed services to lose access to data without any error indication. Now calls Legion::Data::Connection.reconnect_with_fresh_creds (added in legion-data 1.6.26) which tears down the pool and rebuilds it from current Settings values. Falls back to legacy path for older legion-data versions with an explicit warning. Reconnect failures now log at :error level (was :warn) since a failed reconnect means services are unavailable. Bump to 1.5.11.
fix(lease_manager): use reconnect_with_fresh_creds for PG credential rotation
legion-crypt had two shim files (lib/legion/logging.rb and lib/legion/logging/helper.rb) that redefined Legion::Logging::Helper#log with a CompatLogger. This permanently prevented TaggedLogger segment tags from appearing in log output for every module loaded after crypt. Since legion-logging >= 1.5.0 is a hard gemspec dependency, these shims serve no purpose. Also adds missing legion-json dependency.
Remove logging compat shims that shadowed TaggedLogger segments
Bump v1.5.13, add CHANGELOG entry
No description provided.